GRC Tuesdays: GDPR Is about More Than Data Management, It’s about Governance
As you know, the General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is the revision to the European Union (EU) data protection law that becomes enforceable on 25 May 2018. Lately, I’ve been noticing that several software solutions and presentations focus on the data management aspects of GDPR: the ‘consent, deleting, blocking, retention’ spectrum of GDPR compliance. Of course, this is necessary, and a good starting point.
However, the challenge posed to companies by GDPR is more about the organisational and procedural changes that will be necessary to demonstrate that a company is taking seriously the need to protect personal data as a business as usual regime through all echelons of stakeholders, operations, technology, and partnerships.
The figure below indicates why this is necessary. It shows the complexity of GDPR by linking interrelationships between the 99 Articles in the Regulation.
Almost half of the Articles in GDPR are related to business procedures associated with policies, record keeping, accountabilities of roles and entities in order to demonstrate that a company’s approach to handling personal data is taken as seriously as the regulation requires.
Processing shall be lawful only if the data subject has given consent to the processing of personal data (or one of the other 5 lawful reasons applies) for specific purposes, and each purpose must be distinct. Each data processing activity must connect to a purpose that has a finite business scope, specific lawful reasons for conducting it, and a finite lifetime.
The fact that so many of the Articles reference each other indicates the need for robust, enterprise-ready, holistic policy and process compliance software to address this plate of regulatory spaghetti. The governance is a challenge.
Why GDPR Is a Bit Like Wiretapping
Let me use wiretapping as a topical analogy to separate the technical from the governance aspects.
Conducting modern wiretapping is a technical task requiring modern hi-tech kit (or hardware), leading-edge software, and smart and experienced people. This is the equivalent of the data-play conversation in GDPR: how to tag data, delete data, block access to it, archive it with legal retention periods, and so on.
However, the parallel activity—and many would argue a more important aspect—is the actual governance of wiretapping. This governance includes whether a wiretap should take place, who approves it, what its duration and scope are, and what levels of intrusion are acceptable. This is the equivalent of the governance of GDPR, or the meat that the supervisory authorities will want to pick over as evidence of compliance.
The Controller’s Responsibilities
GDPR Article 5(2) requires that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.
I was talking to someone recently and they picked out Article 30 as a troublesome area, so to help me understand it I created the mind-map diagram below. It spells out in detail the record keeping requirements of processors and controllers.
Data processors now have direct obligations, like controllers. They must maintain a written record of the processing categories carried out on behalf of each controller, and notify each controller as they become aware of a data breach without undue delay.
Controllers must maintain a written record of processing activities.
So as in the wiretapping analogy, it’s not enough to be able to technically achieve the requirement. Tight governance has to be maintained on how the task is managed.
Compliance Must be Done, and be Seen as Done
The governance complexity becomes an almost exponential equation:
- Multiply these duties by number of purposes (with dates when they expire), business activities and new initiatives,
- Factor in business units engaged in all or parts of these activities,
- Add software systems that deliver the content and analysis,
- And finally, consider categories of data subjects, categories of processing, post-processing retention requirements, sub-processors, and relevant contact people.
Companies need to document all of the above and be able to show evidence to the regulator. In other words, the governance expectations of data controllers and data processors are significant. And this is really why companies have been given two years to implement GDPR: to demonstrate compliance with the regulation (and avoid the eye-watering fines) an organisation has to show on-going and systematic accountability, good governance, and sustainable procedures to the regulator.
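To make the record-keeping duty concrete, here is an added example (my own illustration, not code from SAP Process Control or from the Regulation) of how a controller’s Article 30 register can be modelled and audited. It assumes a small set of field names of my own choosing and a constructed sample register; the six lawful bases are those of Article 6(1)(a) to (f). The check flags the governance gaps discussed above: an activity with no distinct purpose, a lawful basis that is not one of the six, a purpose with no expiry date or one that has already lapsed, and missing retention or contact details.

```python
"""Governance checks over an Article 30-style record of processing activities.

Added example; field names and the sample register are constructed for
illustration and are not taken from any product or from the Regulation.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# The six lawful bases of GDPR Article 6(1)(a)-(f).
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class ProcessingActivity:
    """One row of a controller's record of processing activities.

    Field names are this example's own choice (hypothetical), chosen to
    mirror the Article 30(1) content the post lists above.
    """
    name: str
    purpose: str
    lawful_basis: str
    purpose_expires: Optional[date]        # the purpose's finite lifetime
    data_subject_categories: List[str]
    processing_categories: List[str]
    retention_period: Optional[str]        # post-processing retention rule
    sub_processors: List[str] = field(default_factory=list)
    contact: Optional[str] = None          # accountable contact person


def check_activity(act: ProcessingActivity, today: date) -> List[str]:
    """Return a list of governance findings for one activity (empty = clean)."""
    findings = []
    if not act.purpose.strip():
        findings.append(f"{act.name}: no distinct purpose recorded")
    if act.lawful_basis not in LAWFUL_BASES:
        findings.append(
            f"{act.name}: lawful basis '{act.lawful_basis}' is not one of the Art. 6(1) bases")
    if act.purpose_expires is None:
        findings.append(f"{act.name}: purpose has no expiry date (no finite lifetime)")
    elif act.purpose_expires < today:
        findings.append(f"{act.name}: purpose expired on {act.purpose_expires.isoformat()}")
    if not act.data_subject_categories:
        findings.append(f"{act.name}: no categories of data subjects recorded")
    if not act.processing_categories:
        findings.append(f"{act.name}: no categories of processing recorded")
    if not act.retention_period:
        findings.append(f"{act.name}: no retention period recorded")
    if not act.contact:
        findings.append(f"{act.name}: no accountable contact recorded")
    return findings


def audit_register(activities: List[ProcessingActivity], today: date) -> Dict[str, List[str]]:
    """Audit a whole register; only activities with findings appear in the result."""
    report = {}
    for act in activities:
        findings = check_activity(act, today)
        if findings:
            report[act.name] = findings
    return report


# Constructed sample register: one well-kept record and one neglected one.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="payroll",
        purpose="Pay employees and file statutory returns",
        lawful_basis="legal_obligation",
        purpose_expires=date(2030, 12, 31),
        data_subject_categories=["employees"],
        processing_categories=["salary calculation", "tax reporting"],
        retention_period="7 years after employment ends",
        sub_processors=["payroll-bureau (hypothetical)"],
        contact="HR data owner",
    ),
    ProcessingActivity(
        name="newsletter",
        purpose="Send product news to subscribers",
        lawful_basis="marketing",          # not an Art. 6(1) basis
        purpose_expires=date(2017, 12, 31),  # purpose has already lapsed
        data_subject_categories=["subscribers"],
        processing_categories=["email delivery"],
        retention_period=None,
        contact=None,
    ),
]

if __name__ == "__main__":
    # Run the audit as of the enforcement date and print each finding.
    for name, findings in audit_register(SAMPLE_REGISTER, date(2018, 5, 25)).items():
        for finding in findings:
            print(finding)
```

Run as a script it lists four findings against the "newsletter" activity and none against "payroll". The point of the design is that the register is data a regulator can be shown, and the audit is a repeatable procedure rather than a one-off review: re-running it with a later date surfaces purposes that have since expired, which is the "finite lifetime" requirement in practice.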
Just as well SAP has SAP Process Control in its GRC and Security suite.